Flame malware - The biggest? The baddest? A little perspective

Filed Under: Featured, Malware

The media has gone crazy about the Flame worm which has been seen infecting computers in the Middle East (Iran, in particular).

Are the news headlines doing a good job of educating the public about the seriousness of the incident, however?

Flame virus bigger than Stuxnet

Flame has been called "the most complex threat", the world's "most sophisticated cyber weapon", and we've even been told it's "much bigger than Stuxnet".

But what does that actually mean?

Yes, Flame is bigger than Stuxnet. If you're counting bytes.

Flame, with all of its modules and libraries, can come in at close to 20MBytes. That's about 40 times larger than Stuxnet - which was itself portly by malware standards. So, yes, Flame is much bigger.

But my guess is that number of bytes wasn't what you were thinking of when you read the headline.

After all, as we should always remind ourselves, size doesn't matter. What matters to most computer users is whether they are likely to become infected by the malware or not, and how many computers it has infected.

Kaspersky, which made the biggest media splash regarding Flame, has only discovered a few hundred computers infected by the malware.

That's not that big.

Certainly, it's pretty insignificant when you compare it to the 600,000 Mac computers which were infected by the Flashback malware earlier this year.

In fact, there were said to be 274 Flashback-infected computers in Apple's home town of Cupertino alone - that's more infections than there have been found of Flame in *all* of Iran!

And let's not forget other malware outbreaks of past years - Conficker, Sasser, Sobig, Code Red - all much more significant in terms of number of infections than Flame.

20MB is a hefty piece of code by malware standards, there's no doubt about that - even if much of it is made up of code libraries.

But it's worth realising that it's much *much* easier to write protection against a piece of malware than to *analyse* what it actually does.

What's going to take a while is dissecting Flame to find out all of its quirks and functionality, not protecting against it. When you hear anti-virus experts talk about Flame's complexity, chances are that that's what they're referring to.

Because, at its simplest level, Flame isn't doing anything different from the vast majority of other malware we see on a typical day.

Every day, we see approximately 100,000 new pieces of malware and most of them have the ability to steal information (by grabbing keypresses, taking screenshots, stealing your files) just like Flame.

Of course, Flame doesn't really represent much of a threat anymore. Every anti-virus product worth its salt (and even a few crummy ones, I expect) now detects it and protects against it.

Whoever was behind it will likely be feeling pretty grumpy, or working hard on a new version which they hope will be able to skirt past defences.

So let's keep things in perspective. Chances are that your computer is more at threat from some of the many other examples of malware that are in existence out there.

Lethal? Really? C'mon

Furthermore, you shouldn't need to be doing anything out of the ordinary to protect against these threats - keep your anti-virus and security patches up to date, take care over what software you install and the USB sticks you insert into your PC, run a layered defence inside your organisation. You know the drill by now.

I'm not saying that Flame isn't newsworthy. It clearly is.

If I was a betting man, I'd probably put money on a state agency being involved in the creation of Flame. This is already being reported as fact in some quarters, but there certainly isn't any proof yet.

Not that the absence of evidence will stop some of the reports - after all, Flame has all the familiar ingredients to add to the ongoing narrative of how states could be using the internet to spy upon each other.

But that's nothing we haven't heard before, and it's hard to think of anything new that typical computer users should be doing to protect themselves.

Sophos products protect users against the Flame threat, identifying it as W32/Flame-A.

Evil flames and apple bite image courtesy of Shutterstock.


10 Responses to Flame malware - The biggest? The baddest? A little perspective

  1. Brad · 874 days ago

    The CBC called it the "most lethal cyberweapon to date" (http://www.cbc.ca/news/technology/story/2012/05/28/tech-malware-flame-cyberattack.html).

    Lethal? Really, CBC?

  2. iop · 873 days ago

    A measure of how big/serious/dangerous some malware is can be the length of time it takes to be discovered. Once identified it can be protected against and it doesn't matter how many harmful features it has.

    If there is a way of quantifying the (potential) damage of those features though, you would multiply that by the time the malware is active to get a measure of total (potential) damage/how serious it was. I'm not sure how old malware normally is before it is detected but it's already been said that evading detection is what makes this case so sophisticated and a big deal.

    There's not much new a typical user should do to protect themselves but is there anything new that antivirus companies can or need to do in light of this (particularly the ability to hide)?

  3. roy jones jr · 873 days ago

    So what are we doing now: In the 21st century we have supposed legitimate governments or companies doing malicious activities in some attempt to get money under the table?

  4. VFAC · 873 days ago

    Perhaps the importance of these discoveries is that it changes the tone of the wider discussions about cyberwarfare. They have already made the step from talking in terms of 'if' to 'when'. Widespread knowledge of these tools might help people to understand that the time frame is 'right now'.

  5. Tim · 873 days ago

    Well despite being a Mac user I'm still alive... and still waiting for Sophos to find some Malware so that I can join the 600,000 Club.

    The way to defend yourself against this new Malware is to do what's good practice anyway. So people should be being educated about that... but it's difficult to herd cats.

  6. Nigel · 873 days ago

    "The way to defend yourself against this new Malware is to do what's good practice anyway."

    How can you ever hope to join the 600,000 Club with an attitude like that? ;-)

  7. Fakhri · 871 days ago

    Then what is the reason for the UN to issue a virus warning for the first time in its history!?

    Do you all think that Iranian users or government can take a cool and relaxed view about Flame as the writer does? Or are they under the influence of the same hype and craziness?

  8. Clim · 871 days ago

    Find 10 differences:

    http://nakedsecurity.sophos.com/2010/10/06/stuxnet-hype-what-do-i-need-to-know/

    Was Stuxnet that terrible after all? What's the big deal about destroying a few hundred centrifuges somewhere? Who cares? Average users have not been exposed, that's ok! The rest is insignificant.

  9. guest · 855 days ago

    MY MAC HAS SOMETHING!! HELP! it acts like any of these described above. yeah, yeah, i live in the USA, but i do deal with the middle east with my computer. they send me videos, pics, utubes, twitters, ustreams, but i'm not on facebook, thank goodness, but they can read my google+, which i rarely use. i am not friendly with some of them, we have some heated discussions sometimes.

    i've been amazed at the hiding places my original files are, and have no idea which versions of everything on the computer are the ones i should have, including all system files, and i can't get permission to delete them.

    it took Sophos off line, with a special remove tool, does its ridiculous job, during my power up - whether i'm on line or not (at least i'm pretty sure it does.) it still adds new modules if it can get in. i have to get offline asap, hackers work late at night, i don't want to be seen.

    anyway, it made a new, modified version on my machine, and i can't get rid of it. if i download a new version of anti-virus, it just gets eaten up by the first one ruined on may 1 of this year. i downloaded new copies today, after i tried to remove all traces of sophos and naked security, the fakes it made can't be moved or deleted.

    it is slowly driving me insane.

    any suggestions will be greatly appreciated. i know i have no clue about what i'm doing, so any nasty comments will be a waste of your time, not mine. but if you're including nastiness with a good help, bring it on, with many thanks!

    i hope anyone can make sense of what i just wrote. and thank any/all of you in advance.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.